What is vishing? Defend against voice phishing attacks

Vishing or voice phishing are calls from unreliable people posing as trusted individuals or companies. The deceptive phone calls encourage targets to reveal personal information or grant access to bank accounts. 

Like most phishing, vishing heavily relies on social engineering to trick victims into playing along. Voice scams can be highly convincing. The phishing attackers might have impressive details about the victims. Furthermore, they might spoof caller IDs to show trusted companies. 

This article discusses how to detect vishing scams and avoid being tricked by various caller claims.

What is the vishing attack?

Vishing (meaning “voice” and “phishing”) is an attempt to gain valuable information through a phone call. Cybercriminals practice social engineering to take advantage of people’s emotions. 

• They use personalized calls or robocall messages to cause a sense of urgency and fear. 
• Sometimes, the intended effect is the opposite – to trigger curiosity or excitement.
• Voice phishers can pretend to be from government entities, banks, reputable organizations, or family members. 
• Vishing aims to convince the victim to give out personal information. Personal details such as Social Security numbers, credit card details, PINs, or passwords pave the way for identity theft and financial fraud.

Smishing vs. vishing vs. phishing 

Smishing refers to fraudulent SMS text messages or instant messages. On the other hand, vishing is a type of phishing that focuses on deceptive phone calls. Finally, phishing is a general term for all fraud via email, SMS, or calls. 

Common vishing techniques

Voice phishing uses various means to convince victims to act. Besides following call scripts, they might use other methods to make their scams more believable. 

Caller ID spoofing

Most vishing attacks rely on caller ID spoofing, which makes the call appear as if it’s from an official source. This method can also localize the number to make you more compelled to pick it up. 

Voice cloning

Attackers can use convincing vocalization synthesis, such as automated voice messages. Scammers have also abused software for AI voice generation to mimic voices of victims’ loved ones. 

Callers know about victims 

Vishing attacks require research on potential targets. Criminals can learn much from social media profiles, public records, or previous data breaches. Thus, vishing calls sound more convincing if the scammers present accurate personal details. 

Then, spear vishing happens when voice phishing targets particular people. 

Voice over Internet Protocol (VoIP) scams 

Scammers might exploit VoIP services to generate fake numbers or spoof caller IDs. Thus, you might also receive fraudulent calls via services like Telegram, Viber, etc.

How vishing works

Social engineering attackers can follow different strategies, from automated messages to live calls with victims. Here is a scenario of how a vishing scam can occur:

• Imagine you receive a call from a number registered in your area. It shows the name of a company you instantly recognize. 
• You might answer the call, assuming it comes from a trusted source. 
• A robotic voice informs you that someone made fraudulent transactions from your bank account. 
• To secure it, you need to call the given number as soon as possible – your money is at risk.
• You need to confirm your identity and ownership of the compromised account when you call the provided phone number. 
• You agree to share your account information and credit card details to resolve the security issues. 
• In reality, you’ve just given the most sensitive information to the con artist directly and fallen victim to a vishing attack.

Vishing attack examples

Although vishing can take several forms, here are some of the common techniques:

Bank fraud

Scammers claim fraud or suspicious activity detected on your bank account. Victims need to provide their financial information to resolve such issues. Thus, scammers try to gain access to victims’ bank accounts.

Prizes and sweepstakes scams

The attacker notifies you about the prize you just won. However, you can redeem the gift only after paying the shipping fees. However, the visher asks you to provide the credit card information to cover these expenses.

Voice phishing and malware

Criminals pair vishing with the distribution of malware. Experts have described FakeCalls malware that begins as a fraudulent banking application. Then, the malicious app places calls to victims and play automated messages.

Tax scam

You supposedly have unpaid taxes and owe the Internal Revenue Service (IRS) money. If you don’t pay it immediately, authorities will issue a warrant for your arrest.

Experts have also warned about scammers posing as SSA (Social Security Administration). It alleges suspicious activity and claims the victims’ social security number has been suspended. 

Medicare scam

Scammers claim that victims’ medicare card has expired, and they are due to get a new one. The representative must confirm your identity by receiving your social security number to replace it.

Relationship fraud

The criminal pretends to be a close family member who needs immediate help. The member, often a grandson or a granddaughter, allegedly suffered from some accident. They are in a hospital or jail, and a certain amount is needed to ensure their safety.

How to prevent vishing

1. Never give out personal information over the phone

Reputable companies and banks won’t require sensitive information over the phone, like credit card numbers or Social Security IDs. 

If the call seems genuine, you can drop the call and dial them using the official numbers.

2. Think twice, and don’t be impulsive

Although it’s easy to give in under pressure, a frantic sense of urgency is a huge red flag.

3. Use a VPN

Vishers are smart enough to track your whereabouts to localize spoofed phone numbers. Luckily, VPN conceals your IP address along with the geographical location associated with it. It is not possible for fraudsters to accurately pretend to be from a specific area by disguising their real phone number.

4. Never answer Spam Risk calls

Some calls get marked as Spam Risk automatically. If you receive such a call, do not answer it or engage in conversation. It is likely that your service provider has already received complaints about this number. 

5. Join the National Do Not Call Registry 

Add your number to the Do Not Call Registry to prevent telemarketers from calling you. However, that affects legitimate callers, and vishing scammers will still try to reach you.

6. Share less information online

Limit the information you share on social media and other public channels. The more information you post, the easier it is for crooks to craft convincing phishing scams.